SAP Security Notes, September 2024

Inprosec through its services, such as the SAP Security Assessment, helps its customers to improve the security levels of their SAP systems.

September 2024 notes

Summary and highlights of the month

We have a total of 19 notes for the entire month (the 19 from Patch Tuesday, 16 new ones and 3 updates).

We will review in detail a total of 2 notes, the HotNews and the high note of the month, which are 2 updates (those with a CVSS score greater than or equal to 7).

  1. The most critical note of the month (with CVSS 9.8) is a HotNews related to “Missing Authentication check in SAP BusinessObjects Business Intelligence Platform”.
  2. The next in terms of criticality (CVSS 7.4) is another high note related to “Information Disclosure Vulnerability in SAP Commerce Cloud”.
  3. The following in criticality (CVSS 6.5) are 2 medium notes related to “Multiple vulnerabilities in SAP Replication Server (FOSS)” and “Missing Authorization check in SAP Production and Revenue Accounting (Tobin interface)”.
  4. This month, the most predominant type is related to “Missing Authorization check in SAP” (6/19 on patch day).

In the chart, we can see the classification of the September notes, as well as the evolution and classification of the past 5 months (only notes from Sec. Tuesday / Patch Day – by SAP):

Full details

The complete detail of the most relevant notes is as follows:

  1.  Update – Missing Authentication check in SAP BusinessObjects Business Intelligence Platform (3479478): In SAP BusinessObjects Business Intelligence Platform, if Single Sign-On (SSO) is enabled in enterprise authentication, an unauthorized attacker can obtain a login token through a REST endpoint, which could compromise the entire system. This severely affects confidentiality, integrity and availability. The issue is fixed in the patches for SBOP BI PLATFORM SERVERS 4.3 and 2025 releases. CVSS v3 Base Score: 9,8 / 10 [CVE-2024-41730]
  2.  Update – Information Disclosure Vulnerability in SAP Commerce Cloud (3459935): Some OCC API endpoints in SAP Commerce Cloud allow including sensitive personally identifiable information (PII) data such as passwords, emails, mobile numbers… in the URL, which can compromise the confidentiality and integrity of the application. SAP Commerce Cloud addresses the vulnerability by creating new OCC API endpoints, which transmit sensitive data only through the request body. Customers must update their code to use the new secure endpoints. CVSS v3 Base Score 7,4 / 10 [CVE-2024-33003].

Reference links

Other references, from SAP and Onapsis (August):

Digital Library (sap.com)

SAP Patch Day: September 2024 – Onapsis

 

Resources affected

  • SAP BusinessObjects Business Intelligence Platform, Versions – ENTERPRISE 430, 440
  • SAP Commerce Cloud, Versions – HY_COM 1808, 1811, 1905, 2005, 2105, 2011, 2205, COM_CLOUD 2211
  • SAP Replication Server, Versions – 16.0.3, 16.0.4
  • SAP Production and Revenue Accounting (Tobin interface), Versions – S4CEXT 106, S4CEXT 107, S4CEXT 108, IS-PRA 605, IS-PRA 606, IS-PRA 616, IS-PRA 617, IS-PRA 618, IS-PRA 800, IS-PRA 801, IS-PRA 802, IS-PRA 803, IS-PRA 804, IS-PRA 805
  • SAP S/4HANA eProcurement, Versions – SAP_APPL 606, SAP_APPL 617, SAP_APPL 618, S4CORE 102, S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108
  • SAP NetWeaver Application Server for ABAP (CRM Blueprint Application Builder Panel), Versions – 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, 75I
  • SAP NetWeaver AS for Java (Destination Service), Versions – 7.50
  • SAP Commerce Cloud, Version – COM_CLOUD 2211
  • SAP BusinessObjects Business Intelligence Platform, Version – 430
  • SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions – 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 912
  • SAP NetWeaver AS Java (Logon Application), Version – 7.50
  • SAP NetWeaver Enterprise Portal, Version – 7.50
  • SAP Business Warehouse (BEx Analyzer), Versions – DW4CORE 200, DW4CORE 300, DW4CORE 400, SAP_BW 700, SAP_BW 701, SAP_BW 702, SAP_BW 731, SAP_BW 740, SAP_BW 750, SAP_BW 751, SAP_BW 752, SAP_BW 753, SAP_BW 754, SAP_BW 755, SAP_BW 756, SAP_BW 757, SAP_BW 758
  • SAP NetWeaver BW (BEx Analyzer), Versions – DW4CORE 200, DW4CORE 300, DW4CORE 400, SAP_BW 700, SAP_BW 701, SAP_BW 702, SAP_BW 731, SAP_BW 740, SAP_BW 750, SAP_BW 751, SAP_BW 752, SAP_BW 753, SAP_BW 754, SAP_BW 755, SAP_BW 756, SAP_BW 757, SAP_BW 758
  • SAP S/4 HANA, Version – 900
  • SAP for Oil & Gas, Versions – 600, 602, 603, 604, 605, 606, 617, 618, 800, 802, 803, 804, 805, 806, 807, 807
  • SAP Student Life Cycle Management (SLcM), Versions – 617, 618, 800, 802, 803, 804, 805, 806, 807, 808
  • SAP NetWeaver Application Server for ABAP and ABAP Platform, Version – 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 912
  • SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions – 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 912

Did you like it?

Share it on social media!

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed

Categories

Calendar of posts

Our services

keyboard_arrow_up